From 4088897f8337018f9ca55d63b10d2bfaddf46f0e Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Mon, 18 Mar 2024 17:58:10 +0100
Subject: [PATCH] bpf: read the task real parent
[ Upstream main branch a2251c15d972c38956 ] Use real_parent instead of parent in case parent is overwritten.
Signed-off-by: Djalal Harouni
---
 bpf/lib/bpf_task.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bpf/lib/bpf_task.h b/bpf/lib/bpf_task.h
index 83df7a66df4..9d2258fec3e 100644
--- a/bpf/lib/bpf_task.h
+++ b/bpf/lib/bpf_task.h
@@ -23,7 +23,8 @@ get_parent(struct task_struct *t)
 {
 struct task_struct *task;
- probe_read(&task, sizeof(task), _(&t->parent));
+ /* Read the real parent */
+ probe_read(&task, sizeof(task), _(&t->real_parent));
 if (!task)
 return 0;
 return task;
@@ -115,7 +116,7 @@ __event_find_parent(struct task_struct *task)
 #pragma unroll
 for (i = 0; i < 4; i++) {
- probe_read(&task, sizeof(task), _(&task->parent));
+ probe_read(&task, sizeof(task), _(&task->real_parent));
 if (!task)
 break;
 probe_read(&pid, sizeof(pid), _(&task->tgid));
@@ -165,7 +166,7 @@ event_find_curr(__u32 *ppid, bool *walked)
 break;
 value = 0;
 *walked = 1;
- probe_read(&task, sizeof(task), _(&task->parent));
+ probe_read(&task, sizeof(task), _(&task->real_parent));
 if (!task)
 break;
 probe_read(&pid, sizeof(pid), _(&task->tgid));
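Review bot: The comment added in get_parent, `/* Read the real parent */`, restates the field name and leaves out the reason `parent` is the wrong field for process ancestry. In the kernel `parent` is the SIGCHLD/wait4 recipient and is re-pointed to the tracer on ptrace attach, which is presumably the "overwritten" case the commit message means, so a traced process would be reported with its tracer as parent. I would write `/* parent is the SIGCHLD/wait4 recipient and becomes the tracer under ptrace; real_parent is not changed by ptrace */` here and repeat or reference it at the two uncommented reads in __event_find_parent and event_find_curr. get_parent's declaration line and closing brace are outside the hunk.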
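Review bot: The loop in __event_find_parent, and the one in event_find_curr, open-code the same `probe_read` of `real_parent` that get_parent() already wraps, which is why this fix had to touch three sites and why a later change to the ancestry field could miss one. If get_parent() is inlined in this header (its qualifiers are outside the hunk), `task = get_parent(task);` would keep the field choice in one place. Separately, `real_parent` is reassigned to a reaper when the original parent exits, so a short comment that the up-to-four-level walk may end at a subreaper or pid 1 would help whoever interprets the resulting pid. Both functions start and end outside their hunks.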